Much more information would be needed to determine why a given file has a given permission, starting with the types of files you’re talking about. For the sake of both functionality and security, I suggest you not mess with the permissions unless you know exactly what you’re doing and why.
This sounds like more of a coding / scripting question than a Virtualmin question.
Ok. A little more information:
The question appeared when I happened to see that basically all files in a new Wordpress site had permission -rwxr-x— (executable) while corresponding files in an older version had -rw-r ----- (not executable)
I know files like xxxxx.sh need to be executable. PHP files, however, do not.
Therefore, I would like to know why the PHP files in this case are.
I use PHP-FPM if that matters.
I’m afraid that answer will have to wait for someone more expert than I am about Wordpress (which likely would be any of 99 people in any random group of 100).